Azure Virtual Network (VNet) is a logically isolated virtual network on Azure and the foundation of every workload running on the platform. VNet design is an area where "once built, it is extremely hard to rebuild," so the quality of the initial design affects every subsequent network, security, and operational decision. This article organizes Azure VNet implementation best practices across CIDR design, subnet partitioning, security integration, and operational know-how.
Azure VNet is a logical network concept equivalent to on-premises VLANs or subnets. A single VNet is tied to one Azure region and defines its IP address space with a CIDR block (e.g., 10.0.0.0/16). Resources inside the VNet (VMs, App Service Environment, Storage Account Private Endpoints, AKS, etc.) can communicate as part of the same network segment, while external communication is allowed only through explicitly permitted paths (Internet Gateway, NAT Gateway, VPN Gateway, ExpressRoute Gateway, Peering) — a design philosophy close to zero trust.
CIDR design for a VNet is the single most important decision. Shrinking or changing CIDR after the fact is hard (some expansion is possible), and any change typically requires a delete-and-rebuild rehost of the VNet.
The standard pattern is to split the VNet into function-specific subnets. Azure's standard 3-tier architecture pattern:
| Subnet Name | Recommended Size | Purpose | Notes |
|---|---|---|---|
| GatewaySubnet | /27 | VPN Gateway / ExpressRoute Gateway | Azure reserved name required |
| AzureFirewallSubnet | /26 | Azure Firewall | Azure reserved name required |
| AzureBastionSubnet | /26 | Azure Bastion | Azure reserved name required |
| WebSubnet | /24 | Web Tier (Frontend VM / AKS Ingress) | NSG required |
| AppSubnet | /24 | Application Tier (Backend VM / AKS Node) | NSG required |
| DBSubnet | /24 | Database Tier (Private Endpoint placement) | NSG required; block public traffic |
| ManagementSubnet | /27 | Jumpbox for management access | NSG allows access only from Bastion |
Azure's reserved names (GatewaySubnet, AzureFirewallSubnet, AzureBastionSubnet) must be created with their exact names. Creating them under wrong names causes deployment errors when the corresponding services are deployed.
Azure reserves a total of 5 IPs per subnet — the first 4 and the last 1. Example: in 10.0.0.0/24, the following are reserved.
Usable IPs are 10.0.0.4 to 10.0.0.254 — 251 in total. A /27 (32 IPs) yields only 27 usable, so subnets that host IP-heavy resources like AKS Nodes or App Service Environment should be sized up (/22 or larger).
VNet Peering is the mechanism that directly connects two VNets.
Peering pricing is traffic-only (no hourly charge): Regional Peering is 0.01 USD/GB inbound/outbound, and Global Peering is 0.035-0.06 USD/GB inbound/outbound (varies by region). For interconnecting three or more VNets, a full-mesh peering arrangement becomes operationally complex, so the standard play is to migrate to Hub-Spoke or Virtual WAN. See Hub-Spoke vs Virtual WAN Complete Comparison for details.
Traffic inside a VNet is protected with defense in depth.
| Layer | Key Capabilities | Pricing | Use Case |
|---|---|---|---|
| NSG | L3-L4 stateful firewall, IP/Port/Protocol based | Free | Applied by default to every VNet |
| ASG | Logically groups NSG rules | Free | Manage rules by VM role |
| Azure Firewall | L3-L7 managed firewall, FQDN, Threat Intel, TLS inspection (Premium) | Tens of thousands to over 100k yen/month | Org-wide egress control at the Hub of Hub-Spoke |
| NVA | Partner virtual appliances (Palo Alto, Check Point, Cisco) | VM cost + license | Reuse existing firewall skills |
| DDoS Protection | DDoS protection (Network / IP plans) | Hundreds of thousands of yen/month and up | Public services with high availability requirements |
The baseline pattern is to always apply NSG, and add Azure Firewall at the Hub as needed. Using both together is standard — they play complementary roles.
VNet DNS settings offer three options: 'Azure-provided DNS (Default),' 'Custom DNS (on-prem DC IP),' and 'Private DNS Zone.'
Common real-world failure patterns:
Microsoft certifications are the most efficient way to learn VNet topics systematically.
See Azure Network Engineer Career Roadmap for details.
What is an Azure VNet?
Azure Virtual Network (VNet) is a logically isolated virtual network on Azure, equivalent to on-premises VLANs or subnets. Resources inside a VNet (VMs, App Service, Storage Account Private Endpoints, AKS, etc.) can communicate as part of the same network segment, while external communication is allowed only through explicitly permitted paths — a design philosophy close to zero trust. A single VNet is tied to one Azure region and defines its IP address space with a CIDR block (e.g., 10.0.0.0/16). Since the quality of your initial design affects every subsequent network, security, and operational decision, getting it right from the start is critical.
How should I design the CIDR for a VNet?
Choose from RFC 1918 private IP space (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), avoiding future expansion conflicts, peering overlap with other VNets, and overlap with on-premises networks. The recommended strategy is to assign 10.x.x.x/16 (65,536 addresses) to each environment (Dev / Stage / Prod). Split subnets at /27 minimum (32 addresses, 27 usable after Azure's 5 reserved IPs) and divide them by role (Web, App, DB, Bastion, Gateway). Because a botched CIDR design forces a delete-and-rebuild rehost of the VNet, the iron rule is to secure a sufficiently large (/16 recommended) address space from day one.
What is the standard subnet partitioning pattern?
Azure's standard 3-tier architecture pattern: 1) GatewaySubnet (/27, for VPN Gateway / ExpressRoute Gateway only), 2) AzureFirewallSubnet (/26, for Azure Firewall only), 3) AzureBastionSubnet (/26, for Azure Bastion only), 4) WebSubnet (/24, Web Tier VMs / AKS Nodes), 5) AppSubnet (/24, Application Tier), 6) DBSubnet (/24, Database Tier with Private Endpoints), and 7) ManagementSubnet (/27, jumpbox for management access). Apply an NSG (Network Security Group) to each subnet for traffic control. Azure's reserved names (GatewaySubnet, AzureFirewallSubnet, AzureBastionSubnet) must be created with those exact names.
What is the difference between VNet Peering and VPN Gateway?
VNet Peering directly connects two VNets over the Azure backbone, offering low latency, high bandwidth, and traffic-only billing (no hourly charge). VPN Gateway connects a VNet to an external network (on-prem or another Azure VNet) via an IPsec tunnel, incurring hourly Gateway VM charges (tens of thousands of yen per month and up). VNet-to-VNet connections inside the same Azure tenant should use VNet Peering. Global Peering (cross-region) offers the same functionality as same-region peering but at a higher per-unit price. For interconnecting three or more VNets, migrating to Hub-Spoke or Virtual WAN is the practical choice.
How do I choose between NSG and Azure Firewall?
An NSG (Network Security Group) is an L3-L4 stateful firewall applied at the subnet or NIC level, with simple Allow/Deny rules defined by IP/Port/Protocol. It is free and applied by default to every VNet. Azure Firewall is a managed L7 firewall deployed per VNet, offering advanced features like FQDN filtering, Threat Intelligence, TLS inspection (Premium), and IDPS (Premium). Pricing runs from tens of thousands to over a hundred thousand yen per month. Design principle: use NSG always for basic network segmentation, and add Azure Firewall when you need organization-wide egress control (placed at the Hub of Hub-Spoke) or advanced filtering. Using both together is standard — they play complementary roles.
What are Azure's reserved IP addresses?
Azure reserves 5 IPs in every subnet — the first 4 and the last 1. Example: in 10.0.0.0/24, the reserved IPs are 10.0.0.0 (Network Address), 10.0.0.1 (Default Gateway), 10.0.0.2 / 10.0.0.3 (Azure DNS mapping), and 10.0.0.255 (Broadcast), leaving 251 usable IPs from 10.0.0.4 to 10.0.0.254. A /27 (32 IPs) yields only 27 usable. If you ignore these reservations during CIDR design, you'll hit IP exhaustion despite math that 'looks fine.' For subnets hosting IP-heavy resources like AKS or App Service Environment, we strongly recommend sizing up (/22 or larger).
What are the common VNet design pitfalls?
Common pitfalls: 1) CIDR too small leading to IP exhaustion (starting with /24 often gets exhausted by a single AKS cluster), 2) Subnet names different from Azure's reserved names (GatewaySubnet, AzureFirewallSubnet, etc. require exact names), 3) CIDR overlap with on-prem (breaks routing for VPN/ExpressRoute connections), 4) Cost explosion from overusing Global Peering (consider Virtual WAN instead), 5) Exposing public-IP VMs without an NSG (a textbook security incident), 6) Misusing Service Endpoint vs Private Endpoint and losing the benefits of Private Link, 7) Leaving VNet DNS settings at Default so Private DNS Zone stops working. Careful planning at the early design stage dramatically reduces later pain.
Which certifications cover VNet?
AZ-104 (Administrator) covers VNet fundamentals in Domain 4 (Virtual networking, 15-20%). AZ-700 (Network Engineer Associate) covers large-scale network design including VNet. AZ-305 (Solutions Architect Expert) covers network design judgment in Domain 4. In practice, the standard path is AZ-104 for VNet basics and AZ-700 for large-scale design. Deep VNet understanding underpins every Azure service design, so it is an essential skill for every engineer working with Azure. See the Azure Network Engineer Career Roadmap article for details.
Related Articles & Deep Dives
Azure Firewall 完全ガイド|Basic/Standard/Premium 選定・Rule 設計・Firewall Manager【2026 年版】
Azure Firewall の完全ガイド。Basic/Standard/Premium SKU 選定、Application Rule と Network Rule の使い分け、DNAT Rule、Firewall Manager と Firewall Policy、FQDN タグ、Forced Tunneling、NSG との使い分け、関連認定試験 (AZ-700 / SC-100) を日本語で網羅。
Azure NSG / ASG 設計集|Network Security Group ルール設計・Application Security Group 活用パターン【2026 年版】
Azure の NSG (Network Security Group) と ASG (Application Security Group) の完全設計ガイド。ルール優先度・Service Tags・3-tier ASG 設計パターン・NSG Flow Logs・Traffic Analytics・落とし穴・関連認定試験 (AZ-700 / SC-100) を日本語で網羅。
Azure Network Watcher トラブルシューティング完全ガイド|Connection Troubleshoot・IP Flow Verify・Packet Capture【2026 年版】
Azure Network Watcher の完全ガイド。Connection Troubleshoot・IP Flow Verify・Next Hop・Packet Capture・NSG Flow Logs・Connection Monitor・Traffic Analytics・Effective Routes など全機能解説。標準トラブルシューティングフロー、関連認定試験 (AZ-700 / AZ-305 / SC-200) を日本語で網羅。
Azure DDoS Protection 完全ガイド|Network/IP Protection・Always On Detection・WAF 組み合わせ【2026 年版】
Azure DDoS Protection の完全ガイド。DDoS Network Protection vs IP Protection vs Infrastructure Protection の使い分け、Always On Detection・Adaptive Tuning・Cost Protection、Application Gateway / Front Door WAF との組み合わせ、Microsoft DRR サポート、関連認定試験 (AZ-700 / SC-100) を日本語で網羅。
Technical information in this article is based on the Azure Virtual Network Documentation. This article is not an official Microsoft Corporation product and has no affiliation or sponsorship. Microsoft and Azure are trademarks of the Microsoft group of companies. Information is based on official public materials as of May 24, 2026. Always consult the official pages for the latest information.
Practice with certification-focused question sets
View Azure exam prep pageNicheeLab Editorial Team
NicheeLab editorial team focused on data engineering and cloud certification learning. Content is structured around practical study needs and official exam domains.
AZ-900 Azure Fundamentals: Complete Exam Guide (2026)
Pass AZ-900 — cloud concepts, Azure architecture, management...
Azure Certification Roadmap: Which Cert to Take Next (2026)
Choose your Azure certification path — Fundamentals, Associa...
AI-901 Azure AI Fundamentals (Beta): Complete Guide (2026)
Pass AI-901 — Microsoft Foundry, generative AI, responsible ...
Microsoft Entra ID Fundamentals for Azure Certs (2026)
Entra ID basics every cert candidate needs — tenants, identi...
DP-900 Azure Data Fundamentals: Complete Guide (2026)
Pass DP-900 — relational, non-relational, analytics, Power B...